About This Document

This document is the release note for HP DCE/9000 Version 1.6 (HP DCE
1.6) core services for HP-UX 10.30.

For detailed information about HP DCE 1.6, see Planning and
Configuring HP DCE 1.6 (B3190-90071).

For information about the documentation for HP DCE 1.6, see Chapter 5
of this document.
What's In This Version

HP DCE/9000 Version 1.6 provides the features of OSF DCE 1.1, along
with HP value-added features and bug fixes.

HP DCE/9000 Version 1.6 Overview

HP DCE/9000 Version 1.6 (HP DCE 1.6) makes the functionality of OSF
DCE 1.1 available on HP 9000 Series 800 systems running HP-UX 10.30.
HP DCE 1.6 also includes HP value-added tools. HP DCE 1.6 provides
the functionality of HP DCE 1.4.1 and 1.5, along with new features and
bug fixes.

As of HP-UX 10.0, HP DCE client software is bundled with the HP-UX
operating system; other DCE software is distributed as layered software.

This release note describes HP DCE 1.6 for the HP-UX 10.30 operating
system. For information about HP DCE application development tools,
see HP DCE/9000 Version 1.6 Application Development Tools for HP-UX
10.30 Release Note (B3193-90021).

HP DCE/9000 Features 

The primary features of HP DCE/9000 include:

• All of the functionality of OSF DCE 1.1, except for DFS and the DFS
extended file services. Bundled as a default in HP DCE Version 1.5,
DFS is not supported in Version 1.6; however, Version 1.5 DFS can be
upgraded to HP DCE/9000 Enhanced DFS Version 1.5.1, which is
based on the OSF Version 1.2.1 of DFS. OSF DCE features supported
by HP DCE 1.5 include Remote Procedure Call (RPC), Security, Cell
Directory Service (CDS), Distributed Time Service (DTS), and
CMA-threads. Global Directory Service (GDS) is no longer supported.

• HP value-added functionality consisting of 12DL, enhanced CDS
browser, C++ class libraries, and sample applications.

• HP value-added tools that make configuration and administration
easier, including HP DCE Account Manager and HP DCE
Configuration Manager.

For detailed information about these features, see Planning and
Configuring HP DCE 1.6 (B3190-90071).
HP Value-Added Features New at HP DCE 1.6

HP added the following features to DCE in HP DCE 1.6. For detailed
information about these features, see Planning and Configuring HP
DCE 1.6.

• New integrated login features including:

/ The -timeout option in the pam.conf configuration file. It
specifies the length of time it is acceptable to wait for a response
from DCE for the specified function.

/ The password expiration feature. A command,
-warn_pwd_expiry <m>, warns users to change their passwords
if they are going to expire within m days. Another command,
-force_pwd_change <n>, forces users to change their passwords
if they are about to expire within n days.

/ Cross-cell login using a fully qualified DCE name. It is supported
for integrated login configurations created by

auth.adm -i -I dce -b ux or auth.adm -i -I dce

but not for other configurations created by auth.adm.

/ Forced password change on login. Administrators can set
pwdvalid no in a user's account to force change of password on
login.

/ As of HP DCE 1.6, passwd -R becomes passwd -r.

/ The addition of -e, -g and -h flags to passwd -r dce.

passwd -r dce -e username changes the username shell in the
DCE registry only.

passwd -r dce -g username changes the username gecos (finger)
information in the DCE registry only.

passwd -r dce -h username changes the username home directory
in the DCE registry only.

/ In HP DCE 1.6, new Kerberos tickets now overwrite any existing
ticket for the same client and server as long as the tickets are the
same size. If the existing ticket has not expired, the new ticket
overwrites the old one only if the authdata matches. Previously,
the new Kerberos tickets were always appended to the end of the
credential file cache, allowing it to grow without bound and also
requiring time on every lookup to scan over the expired
credentials.
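
The cache update rule in the last item, modelled in C as an added example (not HP DCE source code): it compares append-only storage with the in-place overwrite and counts how many entries a lookup scans. The struct layout, field names, sizes and the sample principal names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CACHE_MAX 64

/* Constructed ticket record; the fields are assumptions, not the DCE format. */
struct ticket {
    char   client[32];
    char   server[32];
    size_t size;          /* encoded ticket size in bytes */
    long   expires;       /* expiry time in seconds */
    char   authdata[16];  /* authorization data tag */
};

struct cred_cache {
    struct ticket slot[CACHE_MAX];
    size_t count;
};

struct ticket make_ticket(const char *client, const char *server,
                          size_t size, long expires, const char *authdata)
{
    struct ticket t;
    memset(&t, 0, sizeof t);
    snprintf(t.client, sizeof t.client, "%s", client);
    snprintf(t.server, sizeof t.server, "%s", server);
    snprintf(t.authdata, sizeof t.authdata, "%s", authdata);
    t.size = size;
    t.expires = expires;
    return t;
}

/* Behaviour before HP DCE 1.6 as the note describes it: always append. */
int cache_append(struct cred_cache *c, const struct ticket *t)
{
    if (c->count == CACHE_MAX)
        return -1;        /* the model is bounded; the old cache file was not */
    c->slot[c->count++] = *t;
    return 0;
}

/* HP DCE 1.6 rule as the note states it: overwrite an entry for the same
 * client and server when the sizes are equal, and, if the old entry has
 * not expired, only when the authdata also matches. Otherwise append. */
int cache_store(struct cred_cache *c, const struct ticket *t, long now)
{
    size_t i;
    for (i = 0; i < c->count; i++) {
        struct ticket *old = &c->slot[i];
        if (strcmp(old->client, t->client) != 0 ||
            strcmp(old->server, t->server) != 0 ||
            old->size != t->size)
            continue;
        if (old->expires <= now || strcmp(old->authdata, t->authdata) == 0) {
            *old = *t;
            return 0;
        }
    }
    return cache_append(c, t);
}

/* Return the index of the first unexpired ticket for the pair, or -1.
 * *scanned receives the number of entries examined on the way. */
int cache_lookup(const struct cred_cache *c, const char *client,
                 const char *server, long now, size_t *scanned)
{
    size_t i;
    *scanned = 0;
    for (i = 0; i < c->count; i++) {
        (*scanned)++;
        if (strcmp(c->slot[i].client, client) == 0 &&
            strcmp(c->slot[i].server, server) == 0 &&
            c->slot[i].expires > now)
            return (int)i;
    }
    return -1;
}

/* Refresh one client/server ticket n times (n <= CACHE_MAX), each refresh
 * arriving after the previous ticket expired. Returns the entry count and
 * reports how many entries a lookup scans afterwards. */
size_t simulate_refreshes(int in_place, int n, size_t *scanned)
{
    struct cred_cache c;
    long now = 0;
    int i;
    c.count = 0;
    for (i = 0; i < n; i++) {
        struct ticket t;
        now = (long)i * 7200;
        t = make_ticket("alice", "krbtgt/cell", 512, now + 3600, "pac-v1");
        if (in_place)
            cache_store(&c, &t, now);
        else
            cache_append(&c, &t);
    }
    cache_lookup(&c, "alice", "krbtgt/cell", now + 1, scanned);
    return c.count;
}

int main(void)
{
    size_t scanned;
    size_t n = simulate_refreshes(0, 10, &scanned);
    printf("append-only: %zu entries, %zu scanned\n", n, scanned);
    n = simulate_refreshes(1, 10, &scanned);
    printf("in-place:    %zu entries, %zu scanned\n", n, scanned);
    return 0;
}
```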

HP Value-Added Features For HP DCE 1.5 

HP added the following features to DCE in HP DCE 1.5. For detailed
information about these features, see Planning and Configuring HP
DCE 1.5.

• HP DCE Measurement Service (DMS) to monitor resource utilization
and performance of HP DCE 1.6 servers.

• Support for large UIDs.

• Integrated login support for CDE/PAM.

• Support for large files APIs; however, there is no support for creating
or operating on large files within DFS. DFS became unavailable with
Version 1.6.

• Support for context-switching 64-bit machine registers in DCE
threads (libcma and libdce).

• Thread-safe wrappers for the new POSIX 1003.1b calls (waitid,
nanosleep, and setrlimit64).

In addition, HP DCE 1.5 contains numerous bug fixes.

HP Value-Added Features for HP DCE 1.4.x 

HP added the following features to OSF DCE 1.1 at HP DCE 1.4.1 and 
1.4; for detailed information about these features, see Planning and 
Configuring HP DCE 1.4.1. 

• The enhanced HP DCE Configuration Manager (DCM). 

• The HP Cell Monitor (became unavailable with Version 1.6). 

• The HP DCE Account Manager. 

• The enhanced HP CDS Browser.

• Single threaded Datagram protocol clients.

• Single CDS client process per machine.

• Support for Kerberos Version 5 clients.

• Configurable checkpointing in security server.

• dced/dcecp time synchronization.

• Increased performance of local RPC.

• IDL++ user-defined exceptions.
• Compatibility with ServiceGuard (limited to relocatable IP addresses
only).

• Binary compatibility with HP DCE/9000 Versions 1.2, 1.2.1, 1.3,
1.3.1, and all 1.4.x releases.

• New CDS system administration tools, including gds_autoconf,
gds_lookup, and gds_browser. These became unavailable with
Version 1.6.

• A set of DCE-integrated login utilities that authenticate users via the 
DCE Security Registry instead of via /etc/passwd and /etc/group. 
Documentation for these utilities can be found in Planning and 
Configuring HP DCE 1.6, Chapter 6, "HP-UX Integrated Login". 

OSF DCE 1.1 Features 

HP DCE 1.6 includes the following OSF DCE 1.1 features. For
information about these features, see the OSF DCE 1.1 documentation,
which is provided with HP DCE 1.6.

• Single administrative DCE control program — dcecp. 

• DCE daemon (combines rpcd and sec_clientd) — dced.

• Cell aliasing. 

• Hierarchical cell naming without transitive trust. 

• Serviceability improvements. 

• Security delegation — intermediary servers can operate on behalf of 
the initiating client while preserving identities and ACLs. 

• Auditing — tracking of security-related events. 

• Extended Generic Security Service Application (GSSAPI) — permits 
use of DCE security by message passing applications. 

• Extended Registry Attribute (ERA) facility — provides a means to
define arbitrary attribute types; to attach instances of those types to
principals, groups, and organizations; and to insert attributes in a
principal's credentials for use by specialized security applications. For
example, the ERA facility could be used to support single sign-on
across non-UNIX platforms and legacy systems by associating
additional security information with users and groups.

• Extended logon capabilities — provide the following features: 
/ Pre-authentication, which improves the security of authentication
by eliminating passive attacks on the Key Distribution Center.

/ Login denial, which permits limitation on the number of
successive invalid attempts and Security Server enforcement of
password expiration.

/ Password management, which permits strength checking of 
user-selected passwords according to site policies and automatic 
generation of random plaintext passwords. 

• ACL Manager Library — provides server writers with an ACL 
manager for use with all servers. 

• Group override — customizes group name mapping from host to host
to allow DCE to adapt to various operating system conventions.

• Internationalization interfaces — message catalogs for all 
user-visible messages. 

• Character code set interoperability — allow development of RPC 
applications that automatically convert character data from one code 
set to another. 

• IDL compiler performance enhancements — smaller stub size and a 
number of new IDL constructs. 

• RPC performance enhancements — allows additional client sockets 
during peak usage and optimizes RPC run-time packets. 

• Subtree operations — allows large-scale administrative name 
changes within cells. 

• Distributed Time Service (DTS) remote administration. 
Other Information

This section contains consequences, recommendations, and other items 
not included in the other sections of this chapter. 

DCE Features Not Supported by OSF DCE 1.1 

Cell renaming is documented but not supported by OSF DCE 1.1 (or by 
HP DCE 1.6). 

Transitive trust between hierarchical cells is documented but not 
supported by OSF DCE 1.1 (or by HP DCE 1.6). 

DCE Features Not Supported By HP DCE 1.6 

HP DCE 1.6 does not support DFS, DFS extended file services, or CDS. 

Features Changing at the Next Release 

This section describes OSF DCE and HP DCE features that will not be
supported in the next release of HP DCE and a likely change to threads.

Control Programs and Daemons

HP DCE 1.4.x replaced the following control programs with dcecp. HP
DCE 1.6 supports these programs for transition purposes and will not
support them in future releases. If you use any scripts referencing these
programs, modify these scripts to use dcecp instead.

• cdscp

• rpccp

• dtscp

• rgy_edit

• sec_admin

• acl_edit

The following daemons no longer exist:

• sec_clientd

• rpcd

• cdsclerk

dced replaces sec_clientd and rpcd. As of HP DCE 1.4.x, a symbolic
link permits you to run dced as rpcd. The functionality of cdsclerk is
part of cdsadv in HP DCE 1.4.x. You need to modify any scripts or
programs that reference these non-existent daemons.

Transition of ACL Managers in HP DCE 1.6 

OSF DCE 1.1 provides ACL management facilities within libdce. The
sec_acl_mgr API is obsolete, and it is no longer necessary to write your
own ACL manager. Refer to the OSF DCE documentation to determine
how to use the new dce_acl API to greatly reduce the amount of
specialized ACL code your application needs to deal with.

Before migrating their ACL management layer to the DCE supported
dce_acl API, HP DCE 1.5 users were advised to include a
backward-compatible set of header files that matched the header files
used by applications in previous HP DCE releases. For HP DCE Version
1.6, backward-compatible files are not necessary. Users who included
them should now put the previous files back; i.e., replace any instance of:

• include <dce/rdaclifv0.h> in your application with include
<dce/rdaclif.h>

• include <dce/daclmgrv0.h> with include <dce/daclmgr.h>

In your makefiles and in your application program, change all instances
of:

• rdaclifv0 to rdaclif

• daclmgrv0 to daclmgr

Future Support for POSIX 1003.1c Threads 

The Threads API in HP DCE is likely to migrate eventually from Draft 4
of the POSIX threads standard to the final, ratified 1003.1c standard.
This migration will result in source incompatibility, and it is
recommended that application developers plan now for this transition.
HP plans to preserve binary compatibility and to provide tools to assist
in source code migration. However, developers should also prepare for
this change by isolating new threads API usage to macros or wrapper
APIs. They should minimize the use of signals and use only POSIX
semantics when programming with signals. For example, we recommend
that threaded applications use only the functions sigaction(),
sigprocmask(), and sigwait().
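
An added example of the two recommendations above, written against final POSIX 1003.1c rather than the Draft 4 API that HP DCE 1.6 ships (it is not HP or OSF code): thread calls are confined to a small wrapper layer, and a signal is blocked with sigprocmask() before any thread exists and then collected synchronously with sigwait(). The app_* names and run_sigwait_demo() are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Wrapper layer: the only code that names the threads API directly, so a
 * move between threads API revisions touches these few lines only. */
typedef pthread_t app_thread_t;
typedef void *(*app_thread_fn)(void *);

static int app_thread_start(app_thread_t *t, app_thread_fn fn, void *arg)
{
    return pthread_create(t, NULL, fn, arg);
}

static int app_thread_join(app_thread_t t)
{
    return pthread_join(t, NULL);
}

struct sig_waiter {
    sigset_t set;       /* signals this thread collects */
    int      received;  /* signal number returned by sigwait() */
    int      error;     /* sigwait() return code */
};

/* Dedicated signal thread: no asynchronous handler runs anywhere; the
 * signal is accepted at a known point in this thread. */
static void *signal_thread(void *arg)
{
    struct sig_waiter *w = arg;
    int signo = 0;

    w->error = sigwait(&w->set, &signo);
    if (w->error == 0)
        w->received = signo;
    return NULL;
}

/* Block signo, start the signal thread, raise the signal against the
 * process, and return the signal number the thread collected (-1 on error). */
int run_sigwait_demo(int signo)
{
    struct sig_waiter w;
    sigset_t old;
    app_thread_t tid;

    memset(&w, 0, sizeof w);
    sigemptyset(&w.set);
    sigaddset(&w.set, signo);

    /* Block while the process is still single-threaded so that every
     * thread created afterwards inherits the mask. */
    if (sigprocmask(SIG_BLOCK, &w.set, &old) != 0)
        return -1;

    if (app_thread_start(&tid, signal_thread, &w) != 0) {
        sigprocmask(SIG_SETMASK, &old, NULL);
        return -1;
    }

    /* The signal stays pending until sigwait() accepts it, whichever of
     * kill() and sigwait() happens first. */
    kill(getpid(), signo);
    app_thread_join(tid);

    sigprocmask(SIG_SETMASK, &old, NULL);
    return w.error == 0 ? w.received : -1;
}

int main(void)
{
    printf("signal thread collected signal %d\n", run_sigwait_demo(SIGUSR1));
    return 0;
}
```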

HP DCE 1.6 U.S./Canada Software 

The DCE Security component uses the Data Encryption Standard (DES)
algorithm as its default encryption algorithm. Because the United States
State Department restricts the export of DES software, HP supplies two
binary versions of the dced daemon and DCE library (libdce.1 and
libdce.a):

• The U.S./Canada version of HP DCE 1.6 is available only to HP
customers in the United States and Canada. The U.S./Canada version
of libdce supports use of DES to encrypt RPC argument values, via
the "privacy" authentication level, and the use of DES to encrypt
gssapi messages, via the gss_seal "confidentiality requested" flag.
The U.S./Canada version of dced supports secure remote key table
management.

• The Export version of HP DCE 1.6 is available to all HP customers.
The Export version of libdce disables the "privacy" authentication
level in RPC and also disables all program entry points to DES
routines. The Export version of dced does not support secure remote
key table management.

If an application uses the Export version of the DCE library and specifies
the "privacy" level or the "confidentiality requested" flag, the library
returns an error at run time. This restriction does not apply to the
U.S./Canada version of this release.

See the dced man page for more information about remote key table
management support in the two versions of the daemon.

NOTE Users of the Export version of HP DCE 1.6 should start dced with the -c
option. See the dced man page for more information.

Software Included in the U.S./Canada Version

The U.S./Canada version of HP DCE 1.6 includes the following software:

• /usr/lib/libdce.1

• /opt/dce/lib/libdce.a

• /opt/dce/sbin/dced

Installing the U.S./Canada Software

There are special considerations that apply to installing and
de-installing the U.S./Canada Software. For information, see HP
DCE/9000 Version 1.6 U.S./Canada Software for HP-UX 10.30 Release
Note (B3864-90004) or Planning and Configuring HP DCE 1.6.

Compatibility Among Versions of HP DCE 

HP DCE 1.2 and 1.2.1 (HP-UX 9.03, 9.04, and 9.05), HP DCE 1.3.1
(HP-UX 10.01), HP DCE 1.4 and 1.4.1 (HP-UX 10.01 and 10.10), HP
DCE 1.4.2 (HP-UX 9.03, 9.04, and 9.05) and HP DCE 1.5 are all
compatible with HP DCE 1.6. However, you cannot use DFS (supplied
with HP DCE 1.5 and earlier HP DCE versions) with HP DCE 1.6; HP
DCE 1.6 does not support DFS.

Interoperability with Other Implementations of OSF DCE

HP DCE 1.6 is interoperable with a variety of other implementations of
OSF DCE running on several platforms other than Series 800. See
Planning and Configuring HP DCE 1.6, Chapter 1, for more information.
This chapter describes the known problems, workarounds, and changes
in HP DCE/9000 Version 1.6 on HP-UX 10.30.

Known Problems for HP DCE/9000 Version 1.6

This chapter contains a list of the known problems for HP DCE 1.6.
Where possible, we indicate a workaround for the problem. Planning
and Configuring HP DCE 1.6 (B3190-90071) also contains additional
information about many of these problems.

There are several known problems with integrated login that are
documented only in Planning and Configuring HP DCE 1.6. For
information about these problems, refer to Chapter 6 of that manual
under "Notes, Cautions, and Warnings" and "Integrating DCE with
HP-UX Integrated Login". In the latter section, see "Notes, Cautions and
Warnings About Using HP-UX Integrated Login with DCE" and
"Configuring ux as a Fallback Technology for DCE."

OSF DCE 1.1 Limitations 

The following are limitations to OSF DCE 1.1 (and also to HP DCE 1.6):

• Cell renaming (the dcecp "cellalias set" command) is not
supported.

You can create an alternate cell name using the dcecp "cellalias
create" command. This command creates a cell alias name without
changing the primary cell name.

• Transitive trust between hierarchical cells is not supported.

• Cell alias names are not automatically propagated across cell
boundaries. Use of cell aliases across cell boundaries is supported
when the cell alias name is manually registered in the security
namespace.

HP DCE 1.6 Limitations and Known Problems 

The limitations of HP DCE 1.6 are as follows: 

• In DCE 1.6 the DCE_SVC_DEBUG macro has been changed to
acquire a SVC mutex lock (in prior releases this was done in the
serviceability library). Because of this, DCE applications based on
DCE 1.5 and earlier releases that make use of this macro will be
binary incompatible with DCE 1.6 applications and so must be
recompiled under DCE 1.6 on HP-UX 10.30.

• The following messages may be seen during swinstall on systems 
with Integrated Login installed. This error has no detrimental effect, 
and hence can be ignored. 

* Beginning the Batch Swmodify Phase

WARNING: Cannot delete the definition for
"/usr/vue/bin/vuge.auth.new" from the fileset
"IntegratedLogin.AUTH-COMMON". The file does not exist in this
fileset.

ERROR: The selected software was not modified. All of the
specified file modifications are invalid. See the ERROR and/or
WARNING messages above.

ERROR: The swmodify command failed for
IntegratedLogin.AUTH-COMMON...

• In order to successfully unconfigure a CDS server and then configure
a new CDS server on the same machine, you must follow these steps:

1. Stop and restart the CDS server containing the master replica of
the root directory.

2. Stop and restart any other CDS servers containing master
replicas for directories that will be replicated on the newly
(re-)configured server.

These steps are necessary because unconfiguring and reconfiguring
causes the CDS server principal for that host to be deleted and then
recreated. As a result, cached security contexts in the CDS servers for
master replicas contain out of date information, leading to RPC
failures that can cause the cell's namespace to become unavailable.

As a precautionary measure, HP recommends that all CDS servers
containing master replicas be stopped and restarted any time a CDS
server is unconfigured from the cell.

• In a split server configuration, if the secd/dtsd server is started
before the cdsd/dtsd server, dtsd will fail to start if CDS services are
not available. The problem lies in the dtsd initialization code
attempting to export its time service interface into the namespace.

If this problem occurs, verify that cdsd is running and start dtsd
using one of the following commands:

/opt/dcelocal/bin/dtsd -s (for servers)

/opt/dcelocal/bin/dtsd -c (for clients)
• If you use standard UNIX remote login utilities (remsh, rlogin,
telnet) to perform remote DCE cell administration, these utilities
may expose the cell administrator's password to network attackers.

The most secure way to perform cell administration is to log in locally
on each system that requires administration.

• A user's DCE credentials are not automatically removed by exiting a 
shell or logging out. 

Use kdestroy to remove credentials that are no longer needed. The 
-e option of kdestroy removes credentials older than a specified 
number of hours. 

• When you run dcecp in "local" mode (that is, when you start dcecp
with the local option) on a host with dced in partial-service mode,
there is a possibility that a dcecp "acl modify -add" command will
not work. The interactive dcecp session may hang or a Bus Error
may be returned.

One workaround for this condition is to run dcecp in normal mode on
a host with dced also in normal mode and then execute the command
again. Alternatively, you can quit out of "local" mode between acl
modify -add commands. For more information, see Planning and
Configuring HP DCE 1.6.

• For HP DCE 1.6, dcecp's secval activate and secval deactivate
commands are asynchronous. They return before the actual change
takes place within dced. (Prior to HP DCE 1.6, secval activate and
secval deactivate were synchronous and didn't return until the
actual state change finished in dced.)

You should use the secval status command to verify the state
change. Although future HP DCE/9000 releases may reimplement
synchronous secval activate and deactivate commands, the
verification by secval status is still recommended.

• Not all of the operations of the dcecp host command are
implemented.

• The "add cellname as preferred" cdscp command has been
removed. The use of the "add cellname as preferred" command to
set a new primary cdsalias name for a local cell causes the cell to
have problems.
• Audit events are not generated for authentication services. These
events are: AS_Request, TGS_TicketReq, TGS_RenewReq, and
TGS_ValidateReq.

• The chpass command is not supported.

• The dcecp commands rpcentry, rpcgroup, and rpcprofile do not
support the -version option.

• Intercell logins are insecure with respect to other logins from the
same cell; therefore, such logins are disabled by default. To facilitate
administrative control over intercell logins, two switches have been
added to the dcecp registry connect command. If you want to
permit intercell logins, specify one or both of the following switches to
the dcecp registry connect command:


Command        Definition

-acctvalid     Marks the local cell account as a valid account. A valid
               local cell account allows users from the foreign cell to
               log in to nodes in the local cell. The default is invalid.

-facctvalid    Marks the foreign cell account as a valid account. A
               valid foreign cell account allows users from the local
               cell to log in to nodes in the foreign cell. The default is
               invalid.


For example, to enable peer-to-peer trust between two cells and
permit intercell logins in both directions between them:

dcecp> registry connect /.../<cell_name> \
    -facct cell_admin \
    -facctpw <cell_admin_pwd> \
    -acctvalid \
    -facctvalid \
    -group none \
    -fgroup none \
    -org none \
    -forg none \
    -mypwd <cell_admin_pwd>

• A machine whose name has been changed must be unconfigured and
then reconfigured into the cell; otherwise the old name will be used.

• Support for Integrated Login Password Expiration and Password
Generation is as follows: When a password expires, the corresponding
account is disabled. The user cannot log in until the DCE cell
administrator reactivates the account. The DCE cell administrator
can exempt certain principals from this security feature by attaching
instances of the passwd_override ERA to those principals.

To prevent this problem, users can add the following parameters to
an account line in pam.conf:

/ -warn_pwd_expiry <m> will warn a user when his password is
within m days of expiring.

/ -force_pwd_change <n> will force a user to change his password
when it is within n days of expiring.

• The new dced-based server configuration and execution features are
not fully functional. The following dcecp commands are not yet
implemented. They will be provided in a future release:

/ server stop -method rpc

/ server enable

/ server disable

/ server create -starton auto

• To enable printing, you must add the lp administrator to the
passwd_override file; you can do this only if you create the principal
and account for lp in the registry.

• HP MC/ServiceGuard compatibility does not support DFS. 

• xntpd and dtsd cannot run on the same host because they both affect 
the system clock. If xntpd is running, do not start dtsd manually or 
via the DCE configuration tools (DCM, dce_config) without first 
stopping the xntpd daemon. 

• VxFS volumes cannot be exported to DFS.

• Use the following command to display the dts update man page:

man dts_update

• Users of the Export version of HP DCE 1.6 should start dced with
the -c option. See the dced man page for more information.

• The DCE-integrated versions of the HP-UX login utilities are
installed, but are not activated, by the HP DCE installation and
configuration procedure. This is because most systems will require
the transfer of account information from /etc/passwd to the DCE
Security Registry before the system will be useful.

A script, /usr/sbin/auth.adm, is supplied to activate the utilities once
your system has been set up with the needed accounts.

You should not use the auth.adm script to activate the
DCE-integrated login utilities until after you have set up the accounts
necessary for your site in the DCE security service registry.

Login using a fully qualified DCE name is supported for integrated
login configurations created by

/ auth.adm -i -I dce -b ux

/ auth.adm -i -I dce

but not for other configurations generated by auth.adm.

• In normal operation, core dumps of ilogind will be suppressed. To
reverse this suppression, create a file, /var/adm/ilogin/DEBUG,
owned by root and with the setuid bit set.

• In normal operation, core dumps of libpam_dce.1 will be suppressed.
To reverse this suppression, create a file,
/var/adm/ilogin/LIBPAMDCE_DEBUG, owned by root and with
the setuid bit set.

• Group information used during login is obtained from the local
machine, not the DCE registry.

• Don't specify "-a dce" if DCE requires generated passwords.

• Series 817 and 827 systems do not perform well under moderate DCE
activity. It is therefore recommended that HP DCE 1.6 should not be
installed on these systems.
Differences in Functionality

This section briefly describes differences in functionality from previous
releases of HP DCE and OSF DCE and other considerations. These
changes were made at HP DCE 1.4.x. For detailed information about
these changes, see Planning and Configuring HP DCE 1.6.

• As of HP DCE 1.4, the audit daemon does not start by default. You
must set the proper environment variable, export it, and start the
audit daemon. You can also start the audit daemon using dce_config.
For information about starting the audit daemon, see Chapter 5 of
Planning and Configuring HP DCE 1.6.

• HP DCE 1.6 includes the following changes made at HP DCE 1.4 to
the dcecp command:

/ The registry show -replica command displays a new attribute
field, -supportedversions.

/ The registry show -replica command no longer displays the
version attribute. Use the registry show -attr command to
display the version attribute.

/ The registry delete -only command has been changed to
registry destroy. The registry delete command still exists, but
the -only option is not available.

/ The registry set command has been renamed registry
designate. All options formerly supported by registry set are
supported by registry designate.

/ The registry modify -version command has been added to
support cell migration.

• You can specify the machine string binding in place of the host name 
in the -hostdata show command. (This is an HP DCE 1.4 extension 
of OSF DCE 1.1 functionality.) 

• As of HP DCE 1.4, to join a cell, the user no longer needs to tell
dce_config the name of the cell that the user is joining; instead the
user specifies a name of a security server. The function
create_dcecfdb() will figure out the primary name of the cell,
the aliases, and fill in those fields in the local dce_cf.db file. The data
is obtained from the remote node via dcecp hostdata commands
using string bindings.

NOTE This feature only works if the Security Server is running HP DCE 1.4.1
or later versions. If the security server is an HP DCE 1.2 or 1.2.1
machine, users must still provide a cell name.

• Servers under high stress require non-standard memory and swap.
For details, see Planning and Configuring HP DCE 1.6.

• The pe_site file has changed as follows:

/ There is a new field at the end of each line which is the name of
the replica at the address.

/ The pe_site file is updated once an hour by dced; if you edit it
manually, entries for the local cells will be overwritten; other cells,
however, will not be affected.

/ You can use the "secval update -pesite <INTERVAL>" dcecp
command to change the update interval. You can also use the
secval update command to force an update to happen
immediately.

/ The /krb/krb.conf file is updated by dced.

• HP DCE 1.4.x includes support to integrate DCE with HP-UX
Integrated Login. When integrated with DCE, login utilities
authenticate users via the DCE Security Registry instead of via
/etc/passwd and /etc/group. The Integrated Login utilities include
login, dtlogin, su, passwd, chsh, chfn, ftpd, telnet, rlogin and
dtsession. Note that HP-UX Integrated Login is a different product
from the DCE-Integrated Login Product that HP DCE/9000 provides
on HP-UX 9.x operating systems. See Chapter 6 of Planning and
Configuring HP DCE 1.6 for more information on HP-UX Integrated
Login and on how to configure it with DCE.

• Hewlett-Packard supports only the ANSI C compiler for building
DCE applications. This restriction also applies to applications on
HP-UX 10.x that use the HP-UX user space threads library libcma.

• secd supports the following additional options: -audit.

• DCE RPC-only and NCS-only applications require that dced be
running to provide EP and LLB services. dced has been modified so
that if it is invoked as rpcd, it does not require any initialization or
bootstrap and it supports only EP and LLB services. Thus, you can
run DCE RPC-only and NCS-only applications on hosts that have not
been configured into a cell.

• The command klist -e no longer returns all expired tickets. 

• dce_login supports the -r option, which refreshes a user's 
credentials. It is more secure than using kinit because it uses DCE 
third-party preauthentication. 

• Certain header files were added to support the transition to OSF DCE
1.1 ACL Managers, as described in Chapter 1 of this release note.

NOTE These header files are supported for transition purposes only; they will
not be supported in the next release of HP DCE.


• dcecp hostdata has changed as follows: 

When deed is in full service mode the ability to remove new 

hostdata objects has been removed. 

A local privileged user may perform the vast majority of DCE cell 
administrative tasks remotely. This is allowed by these additional 
ACLs for hostdata: 

/ /.:/hosts/foo/config/hostdata 

Grants read and insert permissions to the machine principal and 
to the member of the subsys/dee/deed-admin group. Grants 
read access, i.e., hostdata catalog, to all other users. 

This prevents altering a local filesystem object not residing under 
the /var/opt/dee/deed directory. 

- /.:/hosts/foo/config/hostdata -io

Grants all permissions to the machine principal except
modify-acl (control) to the member of the
subsys/dce/dced-admin group. Grants read access to all other
users.

This allows the remote administration of the DCE configuration,
for example, cellalias, by the member of the
subsys/dce/dced-admin group.

- /.:/hosts/foo/config/hostdata/post_processors

Grants purge and read permissions to the machine principal and
to the member of the subsys/dce/dced-admin group. Grants
read access to all other users.

This prevents altering post-processors that are executed as a
privileged user.

- /.:/hosts/foo/config/hostdata/passwd_override, and
/.:/hosts/foo/config/hostdata/group_override

Grants no rights to any user. These files should be accessible only
by the local privileged user.

• HP's dced supports the new -r option. This option starts dced in
remote-update mode, which allows DCE cell administration tasks to
be performed by an administrator on a remote machine. By default,
dced prevents any remote administration, to help prevent attacks.

This chapter describes compatibility and installation requirements for
HP DCE/9000 Version 1.6 on HP-UX 10.30.

HP DCE/9000 Version 1.6 Installation Requirements

This section provides a brief overview of HP DCE 1.6 installation for
HP-UX 10.30, followed by installation requirements.

Installation of HP DCE 1.6 is described in Planning and Configuring HP
DCE 1.6 (B3190-90064); installation of HP-UX 10.30 is described in
Installing HP-UX 10.30 and Updating from HP-UX 10.0 to 10.30
(B2355-90078).

Overview of HP DCE Installation 

The following is a brief overview of the installation process for HP DCE 
1.6, which runs on HP-UX 10.30: 

1. Verify that you meet the hardware and software prerequisites for HP
DCE 1.6.

2. Obtain a codeword from HP if necessary.

3. If required, migrate existing systems to HP-UX 10.30; see Planning
and Configuring HP DCE 1.6 for information.

4. If you are installing the U.S./Canada software, read HP DCE/9000
Version 1.6 U.S./Canada Software for HP-UX 10.30 before you install
or remove any software.

5. Decide where you will install HP DCE.

6. Load HP DCE software from media to a depot using swcopy.

7. Install filesets on individual systems using swinstall.

Hardware and Software Requirements 

The hardware, software and other system requirements for HP DCE 1.6
are as follows:

• The hardware requirements for HP DCE: HP 9000 Series 800.

NOTE Series 817 and 827 systems do not perform well under moderate DCE
activity. It is therefore recommended that HP DCE 1.6 should not be
installed on these systems.


• The operating system required for HP DCE 1.6: HP-UX 10.30. 

• The memory space required to run HP DCE 1.6 is a minimum 32 Mb
of memory for client-only systems; 64 Mb for server systems.

• Disk space required to install HP DCE 1.6 is at least 92 Mb for a full 
installation. (The exact space required is highly dependent on exactly
what is installed.) 

• A minimum 100 Mb of swap space is recommended for client-only HP
DCE 1.6 systems; at least 150 Mb is recommended for systems
running one or more DCE servers. Device swap is strongly
recommended over file system swap.

• The HP-UX kernel parameter maxfiles must be increased to 256 and
the parameter maxuser must be increased to 64 for all systems.
maxdsize may have to be increased for some systems. See Planning
and Configuring HP DCE 1.6 for more information.

• HP DCE/9000 must be installed on a long-name file system. If you
have a short-name file system, you must first run convertfs(1M) to
convert your file system to long names.

You can check and, if necessary, change the kernel parameters, the swap 
space, or both, via SAM (the HP-UX System Administration Manager).

For more information about HP DCE products and filesets, see Planning 
and Configuring HP DCE 1.6.

Codeword 

If your software media was shipped with a codeword certificate, you must 
follow the instructions on the certificate to obtain a codeword before you
load the software into the depot. When you load software that requires a 
codeword, you must enter a valid codeword and hardware id. If a 
codeword certificate was not shipped with your software, answer "no" to 
the question: 

Do you want to enter your authorized codeword to access the 
protected software?

Other Installation Notes

Also note the following regarding the installation of HP DCE 1.6:

• Do not install the Export version of HP DCE 1.6 over a previous
install of HP DCE 1.6 that included the U.S./Canada Version. 

If you need to install the Export version over a previous install of HP 
DCE 1.6 that included the U.S./Canada Version: 

1. Use swremove DCE-Domestic to remove the U.S./Canada 
Version 

2. Follow the instructions to install the Export version. 

• Install HP DCE 1.6 with the system up. 

• It takes approximately 10 minutes to install HP DCE 1.6. 

• It takes at least two hours to migrate a system from HP DCE 1.4.x on
HP-UX 10.01 or 10.10 to HP DCE 1.6 on HP-UX 10.30. It takes longer
to migrate HP DCE on HP-UX 9.x because you must first migrate to
HP-UX 10.01.

• A number of environment variables, including
RPC_DEFAULT_ENTRY, RPC_SUPPORTED_PROTSEQS, and
RPC_RESTRICTED_PORTS affect DCE operations. For detailed
information, see Planning and Configuring HP DCE 1.6.

• Known compatibility/incompatibility of HP DCE 1.6 with Third Party
products are as follows:

• Encina/9000 version A.20.20 is compatible with HP DCE 1.6. 

Distribution Media 

HP DCE/9000 Version 1.6 software is shipped on CD-ROM only. 

See the manual Installing HP-UX 10.30 and Updating from HP-UX 10.0
to 10.30 (B2355-90078) for more information on distribution media.

Migrating to HP DCE 1.6 

If you have HP DCE/9000 Version 1.3.1, 1.4, 1.4.1 or 1.5 installed, you
can save your existing cell configuration and databases, install HP
DCE/9000 Version 1.6, and then restore your former cell configuration.
Or, you can discard your previous cell configuration and database
information, update your systems to HP DCE 1.6, and configure a new
cell from scratch. Both procedures, along with information about
supported migration paths and compatibility issues, are detailed in
Chapter 2 of Planning and Configuring HP DCE 1.6.


NOTE HP DCE 1.6 does not support direct migration from versions of HP DCE
that run on HP-UX 9.x (HP DCE 1.2, 1.2.1, and 1.4.2). However, you can
migrate from those versions of HP DCE by migrating first to HP DCE 1.4
on HP-UX 10.01 and then migrating to HP DCE 1.6 on HP-UX 10.30.

This chapter describes fixes and patches for HP DCE/9000 Version 1.6 on
HP-UX 10.30.

Fixes in HP DCE/9000 Version 1.6

Many problems were fixed in HP DCE/9000 Version 1.6. For detailed 
information, see the Software Release Bulletin (SRB).

What Manuals Are Available For This Version


This chapter describes the documentation for HP DCE/9000 Version 1.6
on HP-UX 10.30.

HP DCE/9000 Version 1.6 Documentation

Documentation for HP DCE/9000 Version 1.6 consists of printed
manuals and online documentation.

For information about documentation for the HP DCE application
development tools, see the HP DCE/9000 Version 1.6 Application
Development Tools for HP-UX 10.30 Release Note (B3193-90021).

Printed Documentation 

The following printed documents describe HP DCE 1.6:

• HP DCE/9000 Version 1.6 for HP-UX 10.30 Release Note 
(B3190-90070) (this document) 

• HP DCE/9000 Version 1.6 U.S./Canada Software for HP-UX 10.30
Release Note (B3864-90005)

• HP DCE/9000 Version 1.6 Planning and Configuring HP DCE 1.6
(B3190-90071) 

This manual replaces the OSF DCE manual OSF DCE 
Administration Guide Volume 1; it also describes features specific to 
HP DCE. 

• The OSF DCE 1.1 documentation set published by Prentice-Hall:

- Introduction to OSF DCE (B3190-90046)

- OSF DCE Command Reference (BSlOO-OOOCS)

- OSF DCE Administration Guide Volume 2—Core
Components (B3190-90048)

- OSF DCE DFS Administration Guide and Reference
(B3190-90049)

- The OSF DCE Application Development Reference (B3190-90037)

- OSF DCE Application Development Guide Volume 1—
Introduction and Style Guide (B3190-90038)

- OSF DCE Application Development Guide Volume 2—Core
Components (B3190-90039)

- OSF DCE Application Development Guide Volume 3—Directory
Services (B3190-90040)

• The following two books published by O'Reilly & Associates:

- Understanding DCE (B3190-90018)

- Guide to Writing DCE Applications (B3190-90029)

For general information on installing software on HP-UX 10.30 systems,
see Installing HP-UX 10.30 and Updating HP-UX 10.x to 10.30
(B2355-90126).

For general information about programming with threads on HP-UX
10.30, see Programming with Threads on HP-UX (B2355-90060).

Online Documentation for HP DCE 1.6 

The online documentation for HP DCE 1.6 consists of release notes, man
pages, HP DCE online help, and embedded online help for the HP DCE
Cell Administration tools.

Online Release Notes

An online version of the U.S./Canada release note (HP DCE/9000
Version 1.6 U.S./Canada Software for HP-UX 10.30 Release Note) is
provided in the directory /opt/dce/newconfig/RelNotes. This directory
also contains the release note for the HP DCE client software
(HP DCE/9000 Version 1.6 Client Software for HP-UX 10.30 Release
Note). The Client Software release note is provided online only.

Man Pages 

Reference pages describing DCE commands and calls are available 
online in the form of man pages. 

There are two styles of man page headers:

• "OSF" or "Open Software Foundation" - This header means that the
man page originates from OSF and has not been changed by HP.

• "HP DCE" - This header means that the man page either originates
from HP or is an OSF man page that HP has changed.

HP DCE man pages are in the following directories:

/opt/dce/share/man
/opt/dce/usr/man
/usr/share/man

To read DCE man pages by using the man command, include the path
names listed above in your MANPATH shell environment variable.


NOTE Use the following command to display the dts_update man page:

man dts_update


HP DCE Online Help 

HP DCE/9000 offers a DCE Online Help feature that provides 
information about various aspects of HP DCE. DCE Online Help is 
integrated into the HP Help System, so you can access it from the CDE
Front Panel help icon.


NOTE This feature is supported on X-based displays only; it is not available on
ASCII terminals.

This version of HP DCE/9000 Online Help contains the following kinds of
help:

• Guide to HP DCE/9000 hardcopy documentation. Provides a list of 
the manuals available for HP DCE/9000. 

• Access to HP DCE/9000 Man Pages.

NOTE The main menu of the Help Manager lists the HP DCE/9000 Application
Development Tools Release Notes and HP DCE Sample Applications.
These help topics are available only if the HP DCE/9000 Application
Development Tools optional product is installed.

Accessing DCE Online Help From CDE 

You can access the DCE Online Help from the Front Panel or from a
shell.

To access the DCE Online Help from the Front Panel, follow these steps:

1. Click on the Front Panel help icon (the "?"). A "Welcome to Help
Manager" help window appears.

2. In the Help Manager window, click on the "HP DCE/9000, Version
1.6" product-family title. A list of the HP DCE/9000 help volumes
appears.

3. To display a help volume, click on its title. 

To access the DCE Online Help from a shell prompt, enter this command: 

/usr/dt/bin/dthelpview -h DCEwelcome 

This displays an introductory help window that has hyperlinks to all of 
the other help volumes in the HP DCE Online Help system. 

Note that you can press the F1 key in any help window to get help on
using the help system.

Embedded Online Help for HP DCE Cell Administration Tools

The HP DCE DCM, Account Manager, and CDS Browser tools are
provided with online help. 

HP DMS also has context-sensitive help as provided by HP GlancePlus.

This chapter describes how HP DCE/9000 Version 1.6 on HP-UX 10.30 is
localized.

HP DCE/9000 Version 1.6 Localization

HP DCE 1.6 is localized for the Japanese market. HP provides localized
message catalogs in both Shift-JIS and EUC encoding. Consult your
Hewlett-Packard sales representative for detailed information about the
Japanese-localized version of HP DCE 1.6.